{"id":5933,"date":"2025-11-25T00:19:00","date_gmt":"2025-11-25T00:19:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5933"},"modified":"2025-11-25T00:19:00","modified_gmt":"2025-11-25T00:19:00","slug":"new-shai-hulud-worm-spreading-through-npm-github","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5933","title":{"rendered":"New Shai-Hulud worm spreading through npm, GitHub"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A new version of the Shai-Hulud credentials-stealing self-propagating worm is expanding through the open npm registry, a threat that developers who download packages from the repository have to deal with immediately.<\/p>\n<p><a href=\"https:\/\/www.wiz.io\/blog\/shai-hulud-2-0-ongoing-supply-chain-attack\" target=\"_blank\" rel=\"noopener\">Researchers at Wiz Inc. said Monday<\/a> that in the early stages of the campaign late last week,\u00a0 a thousand new GitHub repositories containing harvested victim data were being added every 30 minutes. <a href=\"https:\/\/research.jfrog.com\/post\/shai-hulud-the-second-coming\/\" target=\"_blank\" rel=\"noopener\">And researchers at JFrog identified 181 compromised packages.<\/a><\/p>\n<p>The current campaign introduces a new variant, which Wiz researchers dub Shai-Hulud 2.0, that executes malicious code during the preinstall phase, \u201csignificantly increasing potential exposure in build and runtime environments.\u201d<\/p>\n<p>The threat leverages compromised package maintainer accounts to publish trojanized versions of legitimate npm packages. 
Once installed, the malware exfiltrates\u00a0developer and CI\/CD secrets to GitHub repositories, and also inserts the malicious payload into all of the users\u2019 available npm packages.\u00a0Threat actors could also use the exfiltrated secrets to break into and install more malware in victims\u2019 IT systems.<\/p>\n<p>JFrog said this new variant generates randomized repository names for exfiltration, making it harder for security teams to hunt down and scrub the leaked secrets. JFrog also said the new payload contains new functionality, including privilege escalation, DNS hijacking, and the ability to delete data from the victim\u2019s machine.<\/p>\n<p>Multiple popular packages used by developers, including those from Zapier, ENS Domains, PostHog, and Postman, have been compromised.<\/p>\n<p><a href=\"https:\/\/www.reversinglabs.com\/blog\/another-shai-hulud-npm-worm-is-spreading-heres-what-you-need-to-know\" target=\"_blank\" rel=\"noopener\">Researchers at ReversingLabs also noted <\/a>the list of compromised packages includes AsyncAPI related packages, including <a href=\"https:\/\/secure.software\/npm\/packages\/@asyncapi\/specs\" target=\"_blank\" rel=\"noopener\"><em>@asyncapi\/specs<\/em><\/a>, which has had more than 100 million lifetime downloads and an average of 1.4 million weekly downloads. 
This package in particular is also believed to be the \u2018patient-zero\u2019, or the first known infected package, for this wave of attack, the researchers added.<\/p>\n<h2 class=\"wp-block-heading\">Second wave is bigger and faster<\/h2>\n<p>Developers and security teams looking for indicators of compromise should note that the new variant adds two new payload files: <em>setup_bun.js<\/em> and <em>bun_environment.js<\/em>.<\/p>\n<p>\u201cThe re-emergence of the worm indicates that this remains a current and serious threat to the npm ecosystem,\u201d said <a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute. \u201cCSOs must address this threat by monitoring the components used in their software and hardening their CI\/CD pipelines to increase resilience in the event that malicious code is executed.\u201d<\/p>\n<p>Shai-Hulud <a href=\"https:\/\/www.csoonline.com\/article\/4058059\/warning-hackers-have-inserted-credential-stealing-code-into-some-npm-libraries.html\" target=\"_blank\" rel=\"noopener\">first emerged in September<\/a>, revealed by the discovery that dozens of npm libraries, including a color library with over 2 million downloads a week, had been replaced with malicious versions.<\/p>\n<p>The initial Shai-Hulud wave was already one of the most severe JavaScript supply-chain attacks Wiz has seen, <a href=\"https:\/\/www.linkedin.com\/in\/merav-bar-608351232\/?originalSubdomain=il\" target=\"_blank\" rel=\"noopener\">Merav Bar<\/a>, a company threat researcher and co-author of the report told <em>CSO<\/em>. \u201cThis new wave is bigger and faster: more than 25,000 attacker-created repos across roughly 350 GitHub users, growing by about 1,000 repos every 30 minutes, with malware that steals developer and cloud credentials and runs in the preinstall phase, touching dev machines and CI\/CD pipelines alike. 
That combination of scale, speed, and access makes it a high-impact campaign.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Assume compromise<\/h2>\n<p>If an individual had pulled any of the affected packages during the November 21\u201323 window, she said, they should assume their environment is exposed. Remedies include clearing the npm cache on their workstation, removing <em>node_modules<\/em>, reinstalling from clean versions, or pinning to versions published before the malicious releases, and rotating any tokens or secrets that were present (GitHub PATs, npm tokens, SSH keys, cloud credentials).<\/p>\n<p>Enabling strong MFA on GitHub\/npm and watching for unexpected new repos or workflow files in the developer\u2019s personal account is also critical, she added.<\/p>\n<p>Shai-Hulud\u2019s second wave isn\u2019t surprising, said <a href=\"https:\/\/www.linkedin.com\/in\/brad-laporte\/\" target=\"_blank\" rel=\"noopener\">Brad LaPorte<\/a>, cybersecurity advisor at Morphisec. \u201cThe first attack showed how easily preinstall scripts could be weaponized. This wave proves what happens when those warnings aren\u2019t acted on: larger scale, more destructive payloads, and automation that infects thousands of repositories in hours.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Recommendations for repositories<\/h2>\n<p>To stop attackers from easily uploading malicious packages, npm needs to tighten its publishing process, LaPorte said, including ensuring the identity of new accounts is verified before they are allowed to publish packages; implementing rate limits to prevent attackers from uploading multiple malicious packages in a short period and monitoring package maintainers for suspicious activity such as sudden spikes in publishing or packages with significant unexplained changes.<\/p>\n<p>\u201cFrom what we\u2019ve observed in the Shai-Hulud incidents,\u201d said Bar of Wiz, \u201cthe core issue isn\u2019t npm specifically. 
It\u2019s that open-source registries now function as high-impact distribution hubs, and attackers are taking advantage of how much trust developers place in them. In that context, the most important thing is continuing to strengthen the guardrails around how packages are published and updated. That includes making it harder for compromised maintainer accounts to push malicious versions, increasing visibility into unusual publishing behavior, and helping downstream users quickly understand when a package version may be unsafe. Those are ecosystem-level defenses rather than criticisms of any single registry, but they reflect the direction the entire open-source community will need to move as attacks like Shai-Hulud become more automated and far-reaching.\u201d<\/p>\n<p>Ensar Seker, CISO at SOCRadar, cautioned that Shai\u2011Hulud isn\u2019t what he called typical package compromise. \u201cIt\u2019s a worm embedded into the dev supply chain. It signals that attackers are shifting from targeting compiled binaries and runtime environments toward the very processes developers use to build and ship software. No organization should assume, \u2018We don\u2019t use npm, so we\u2019re safe\u2019, because even downstream dependencies or dev toolchains can become the launch pad.\u201d<\/p>\n<p>So far npm has focused on ensuring that package authors are properly authenticated and that packages are not altered after being published, said Ullrich of the SANS Institute. But, he added, this does not prevent a malicious actor from publishing malicious packages. Recently, npm further restricted the default access token lifetimes and started to revoke legacy \u2018classic tokens,\u2019 he acknowledged. 
\u201cnpm may need to implement some form of automated scanning for obvious malicious content, but it will be difficult to implement a meaningful solution.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Recommendations for security teams, developers<\/h2>\n<p>Wiz says security teams in organizations with application developer teams that use npm \u2013 and individual developers using npm and GitHub \u2013 should:<\/p>\n<p>clear each developer\u2019s npm cache;<\/p>\n<p>pin dependencies to known clean versions or roll back to pre-November 21 builds;<\/p>\n<p>revoke and regenerate npm tokens, GitHub PATs, SSH keys and cloud provider credentials;<\/p>\n<p>enforce phishing-resistant multifactor authentication for developer and CI\/CD (continuous integration\/continuous delivery) accounts.<\/p>\n<p>Within GitHub and CI\/CD environments, they should search for newly created repositories with \u2018Shai-Hulud\u2019 in the description, review unauthorized workflows or suspicious commits referencing hulud, and monitor for new npm publishes under their organization.<\/p>\n<p>For long-term protection, CSOs and IT leaders are urged to restrict or disable lifecycle scripts (postinstall, preinstall) in CI\/CD environments, limit outbound network access from build systems to trusted domains only, and make sure developers use only short-lived, scoped automation login tokens.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A new version of the Shai-Hulud credentials-stealing self-propagating worm is expanding through the open npm registry, a threat that developers who download packages from the repository have to deal with immediately. Researchers at Wiz Inc. 
said Monday that in the early stages of the campaign late last week,\u00a0 a thousand new GitHub repositories containing harvested [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5934,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5933","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5933"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5933"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5933\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5934"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5933"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5933"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5933"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}